This morning I went to a fantastic talk called Hack All the Things. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still had oath when I checked but should soon be public). The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off.

UART connections on a PCB are usually pretty easy to spot. Most often they are 3 or 4 pins in a line or a square. Since pretty much everything runs Linux, once you have a serial connection pwning the device is familiar.

Epson Artisan 700/800 printer and the Belkin Wemo both have UART exploits.

Greenwave Reality smart bulbs ship with open U-Boot which will let you issue commands at boot up to open root shell access.

File Transporter (cloud/NAS, was a Kickstarter by Drobo). The UART header is actually populated on this! Research discovered this is U-Boot file which the device is looking. Give it your own crafted U-Boot image and you pwn the device.

Staples Connect: wifi, zigbee (UART) - shorting out pins 29 and 30 on the NAND chip corrupts the U-Boot at power-up and gives U-Boot access, which is an easy avenue to opening a root console.

eMMC is basically an SD card on a chip. If you can patch into the data lines you can own the data on the device and monitor transactions. Usually you get at the pins by soldering to nearby resistors. Here are some devices pwned with this method:

Hisense Android TV (rebranded Google TV).

Whether you know the term or not you should already be familiar with injection attacks. This is best described as poorly implemented user interfaces: places you can enter text that don’t scrub for commands.

Motorola RAZR LTE Baseband (processor separate from Android). This is done over a USB network connection.

PogoPlug can be attacked with injection via web interface.

You can interrupt the boot loader through the UART. You can also get into the root shell for a second or two during boot. You can even inject via the nickname of the box to run commands as root.

ssh is already running (LAN only) but it is firewalled by default. You can inject a command via the web interface IPtables field to bring down that firewall.

You can pull down an app, inject your symlink, and dump your own commands onto the device to open a root shell.

The team giving the talk put an app on the Play store to get root but Google pulled it down (apparently they don’t like apps that crack their precious hardware).

You can use the built-in media app to inject through its SMB mounting feature.

Summer Baby Zoom WiFi. “Secure” baby monitoring device according to their marketing. There is a hard-coded username and password for uploading firmware. This can be injection attacked with a simple ‘curl’ command.